Security updates to help protect against Meltdown, Spectre attacks starting to roll out

Software and hardware companies are starting to roll out updates to help mitigate the impact of the Meltdown and Spectre security vulnerabilities disclosed this week, which could allow malware to access protected data such as passwords or encryption keys from a computer or server.

Google says it’s already rolled out updates to help protect Android and Chrome OS users, although if you’ve got a phone from a vendor that rarely (if ever) offers security updates, you might be out of luck.

Microsoft has released an update to Windows (although some folks may have to wait a little while if they have an incompatible anti-virus program running on their PC).

Update: Apple has weighed in, confirming its Mac and iOS devices are affected. The company says recent software updates for macOS, tvOS and iOS help mitigate the vulnerabilities, and that upcoming updates to the Safari web browser will help mitigate risk from Spectre.

And Intel says it’s released updates for “the majority of processors” released in the past 5 years, with plans to have updates for 90 percent of all processors released in that time frame by the end of the week. Since most PC users don’t get firmware updates from Intel though, you may need to check with the manufacturer of your PC to see if an update is available.

So what do all of these updates do, and how will it affect your PC’s performance?

That’s kind of an open question for now. Researchers disclosed three different security exploit variants, one of which is classified as a “Meltdown” attack, and the other two of which are “Spectre.”

The Meltdown vulnerability seems to primarily affect Intel processors and possibly some ARM-based chips, but not AMD processors. The good news is that software and firmware updates will likely help protect you against these Meltdown attacks. The bad news is that they do this by changing the way chips use memory, which could have an impact on processing speed in some situations.

So it’s possible that claims that the security patches could slow down PCs by anywhere from 5 to 30 percent may have been overblown. But the impact is definitely workload-dependent, so while you might not see any change when performing some tasks, you may see some slowdown depending on the CPU you’re using and the activity you’re trying to use a computer for.

For the most part, the updates that are rolling out are meant to protect users against Meltdown attacks. The Spectre class of exploits exposes a brand new type of vulnerability that’s not as well understood. While Intel and others say they have updates that can help mitigate certain types of Spectre attacks, it’s unclear for now whether it’s possible to completely protect a computer from Spectre via software updates alone. The good news, if there is any, is that it’s also harder for an attacker to set up a Spectre attack.

That said, despite Intel’s claims that the update it’s rolling out will render PCs and servers “immune” from both exploits, I don’t think anyone knows for certain whether that’s actually true at this point.

Ultimately, chip makers will probably have to take these vulnerabilities into account when designing future processors in order to fully protect users. But since virtually all modern smartphone, tablet, PC, and server processors already on the market are vulnerable to one or more of these exploits, it’s no surprise that companies are rushing to release software updates to help protect users.

Odds are the computer you’re currently using has a processor that is vulnerable. There’s currently no new computer you can buy that is completely safe. And there may not be for some time to come. If Intel wants to continue selling chips, if Microsoft wants to keep selling software, and if Google wants you to keep looking at ads (in the Chrome browser or on your Android phone), they’re all going to do their best to keep you protected.

I guess we’ll find out in the coming months whether their best is good enough.


OK my question, assuming that all Intel (and AMD to a lesser extent) CPUs are affected, including ones that are in existing upcoming PCs this year, is what of the announced-but-not-yet-manufactured processors from Intel & AMD? Will they be fixed for the Meltdown/Spectre flaws before rolling out, or is this flaw a new reality going forward for new PCs and devices for the next couple of years?

I’m not bitter at the prospect of having my PCs slower, but I would like to have some idea of when this pervasive flaw will be fixed at the source going forward.


ThornC


This is more complicated than it seems. CPUs available today and to be made available during the coming months were designed a long time ago (most of it anyway), changing this part is not going to happen that fast – hope I am wrong.

One of the last articles of The Register [1] has quite a bit of information about the whole issue, including a recommendation by CERT to throw away your CPU, in the meantime updated to something less drastic.

What we need to understand is that this is serious and that the whole industry will suffer, especially if someone comes up with a viable attack/exploit and puts it in the wild.


Supposedly, these CPUs take on the order of 5-10 years (per Bloomberg radio guests, so not exactly from a very technical source) from design to rollout, and it’ll be many years until it’s fixed at the hardware level.